authorAndreas Eriksen <andreer@verizonmedia.com>2020-06-11 10:31:20 +0200
committerGitHub <noreply@github.com>2020-06-11 10:31:20 +0200
commit54828b73bcea1d086b145453b318bfdcdfef93b8 (patch)
tree958584a90f51ce2d6ea58c2f57b5da34a9a44878 /controller-api
parent1aaaa34cc41bc4bcf8f9448c637e8ee5fa551200 (diff)
tenant creation for everyone in public (with restrictions/gated by flag) (#13538)
* tenant creation for everyone in public (with restrictions/gated by flag) * always include feature flag value in user api Co-authored-by: Jon Marius Venstad <jonmv@users.noreply.github.com>
Diffstat (limited to 'controller-api')
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java9
-rw-r--r--controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java3
-rw-r--r--controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java6
3 files changed, 6 insertions, 12 deletions
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
index fc904b9d1a0..9a5a0ad0e77 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/Policy.java
@@ -48,15 +48,10 @@ enum Policy {
.on(PathGroup.user)
.in(SystemName.main, SystemName.cd, SystemName.dev)),
- /** Access to create a tenant in select systems. */
+ /** Access to create a tenant. */
tenantCreate(Privilege.grant(Action.create)
.on(PathGroup.tenant)
- .in(SystemName.main, SystemName.cd, SystemName.dev)), // TODO SystemName.all()
-
- /** Access to create a tenant in public */
- tenantCreatePublic(Privilege.grant(Action.create)
- .on(PathGroup.tenant)
- .in(SystemName.PublicCd, SystemName.Public)),
+ .in(SystemName.all())),
/** Full access to tenant information and settings. */
tenantDelete(Privilege.grant(Action.delete)
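Review bot: The Javadoc on `tenantCreate` now says only "Access to create a tenant.", while `.in(SystemName.all())` extends the grant to the public systems previously covered by the removed `tenantCreatePublic`, which RoleDefinition.java gave to `hostedSupporter`. The commit title says creation is restricted and gated by a flag, but that check is not visible in this file, so a reader of the policy enum sees an unconditional grant. I would say so in the comment, e.g. `/** Access to create a tenant in any system; limits on tenant creation in public systems are enforced outside this policy (feature flag). */`. The enum body continues outside the hunk, so which roles hold `tenantCreate` cannot be confirmed from here.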
diff --git a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
index ad7b3f68440..bf5ba4001fa 100644
--- a/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
+++ b/controller-api/src/main/java/com/yahoo/vespa/hosted/controller/api/role/RoleDefinition.java
@@ -22,8 +22,7 @@ public enum RoleDefinition {
hostedOperator(Policy.operator),
/** Machina autem exspiravit. */
- hostedSupporter(Policy.supporter,
- Policy.tenantCreatePublic),
+ hostedSupporter(Policy.supporter),
/** Base role which every user is part of. */
everyone(Policy.classifiedRead,
diff --git a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
index 2da93c5ceca..10d4732984c 100644
--- a/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
+++ b/controller-api/src/test/java/com/yahoo/vespa/hosted/controller/api/role/RoleTest.java
@@ -6,7 +6,6 @@ import com.yahoo.config.provision.SystemName;
import com.yahoo.config.provision.TenantName;
import org.junit.Test;
-import java.awt.event.AdjustmentEvent;
import java.net.URI;
import java.util.List;
import java.util.stream.Stream;
@@ -59,8 +58,9 @@ public class RoleTest {
assertTrue(mainEnforcer.allows(role, Action.read, URI.create("/application/v4/tenant/t2/application/a2")));
assertFalse(mainEnforcer.allows(role, Action.delete, URI.create("/application/v4/tenant/t8/application/a6/instance/i1/environment/dev/region/r1")));
- // Check that we are allowed to create tenants in public
- assertTrue(publicEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1")));
+ // Check that we are allowed to create tenants in public.
+ // hostedSupporter isn't actually allowed to create tenants - but any logged in user will be a member of the "everyone" role.
+ assertTrue(publicEnforcer.allows(Role.everyone(), Action.create, URI.create("/application/v4/tenant/t1")));
}
@Test
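Review bot: The new comment states that hostedSupporter is not allowed to create tenants, but nothing asserts it; the only create check left is the positive one for `Role.everyone()`. If the comment is accurate and `role` is the supporter role, as it implies, add `assertFalse(publicEnforcer.allows(role, Action.create, URI.create("/application/v4/tenant/t1")));` so that a later policy change re-granting create to that role fails the test. The `Role.everyone()` assertion also sits among checks that otherwise use `role`, and would read more clearly in its own test method. The enclosing test method starts outside the hunk.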